Attached please find various materials related to an [unsuccessful] attempt to configure both ipsec and nat44 on a single interface. Topology:
Inside network #1                                          Inside network #2
192.168.1.0/24 <--> vpp #1 <-> "The Internet" <-> vpp #2 <--> 192.168.2.0/24
split-tunnel: ipsec or nat44
Config files attached.
First problem: ipsec4-input-feature must run before nat44-out2in, but there’s a missing feature-arc constraint. See attached feature_diff.txt.
Next problem: feature arc misbehavior. See the attached “pcap dispatch trace...” dispatch.pcap [required the vpp-aware version of wireshark]. To save you the trouble, here is the packet trajectory:
ip4-input-no-checksum (encrypted pkt, feature arc enabled) -> ipsec4-input-feature -> esp4-decrypt -> ip4-input-no-checksum (inner decrypted pkt, feature arc enabled (oh boy)) -> ipsec4-input-feature (not necessary, but nothing awful happens) -> nat44-out2in (screwed!) -> error-drop
If there’s some other way to configure this scenario which works, please let me know. Otherwise, we need to avoid hitting nat44-out2in.
I’ve resorted to adding “xxx-no-feature-arc-processing” variant nodes in the past, so that esp4-decrypt could send decapsulated / decrypted traffic through the mandatory ip4 input checks. I’m not sure that’s the right approach here. It might make sense to add a buffer flag which means “do nothing in nat44-out2in.”
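To make the two problems concrete, here is an added example (not VPP's code, and not from the original mail) that models the arc ordering and the proposed buffer flag in a few lines of Python. The node names are the ones from the trace; the addresses, the NAT session table, the registration order of the nodes and the SKIP_NAT flag are assumptions made up for the model.

```python
# Added example, not VPP code: a simplified model of feature-arc ordering.
from collections import defaultdict

SKIP_NAT = 0x1  # hypothetical buffer flag: "do nothing in nat44-out2in"

def resolve_arc(nodes, constraints):
    """Order arc nodes. `nodes` is registration order; `constraints` are (a, b)
    pairs meaning a runs before b (like VPP's .runs_before). Nodes with no
    constraint between them keep registration order, so a missing constraint
    yields whatever order the plugins happened to register in."""
    succ, indeg = defaultdict(list), {n: 0 for n in nodes}
    for a, b in constraints:
        succ[a].append(b)
        indeg[b] += 1
    order, ready = [], [n for n in nodes if indeg[n] == 0]
    while ready:
        n = ready.pop(0)  # registration order breaks ties
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("cycle in feature-arc constraints")
    return order

def run_arc(order, pkt, nat_sessions, mark_inner=False):
    """Walk one packet along the arc and return the node trajectory. esp4-decrypt
    re-injects the inner packet at ip4-input with the arc still enabled. Model
    assumption: nat44-out2in drops any packet lacking a session unless SKIP_NAT."""
    trace = ["ip4-input-no-checksum"]
    for node in order:
        trace.append(node)
        if node == "ipsec4-input-feature" and pkt["esp"]:
            trace.append("esp4-decrypt")
            inner = {"src": pkt["inner_src"], "esp": False,
                     "flags": pkt["flags"] | (SKIP_NAT if mark_inner else 0)}
            return trace + run_arc(order, inner, nat_sessions, mark_inner)
        if node == "nat44-out2in" and not pkt["flags"] & SKIP_NAT:
            if pkt["src"] not in nat_sessions:
                trace.append("error-drop")
                return trace
    return trace

# Constructed scenario: the nat44 node was registered before the ipsec one.
NODES = ["nat44-out2in", "ipsec4-input-feature", "ip4-lookup"]
BASE = [("nat44-out2in", "ip4-lookup"), ("ipsec4-input-feature", "ip4-lookup")]
FIXED = BASE + [("ipsec4-input-feature", "nat44-out2in")]  # the missing constraint
ESP_PKT = {"src": "198.51.100.2", "esp": True, "inner_src": "192.168.2.10", "flags": 0}
SESSIONS = {"203.0.113.5"}  # constructed: the only source holding an out2in session
```

With BASE the encrypted packet dies in nat44-out2in before it is ever decrypted; with FIXED it reproduces the trace above exactly, and only run_arc(..., mark_inner=True) gets the inner packet through to ip4-lookup.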